The effective management of all risk types within your organisation can be greatly enhanced by using a consolidated Enterprise Wide Risk Management Framework (EWRMF). However, implementing such a framework presents challenges! Here are some of the most important elements to achieving a successful EWRMF:
1. Tone at the top
How staff perceive the Board's and Senior Management's attitude towards, prioritisation of and understanding of the risk management and compliance requirements has a direct impact on everyone in the firm, helping to set attitudes towards risk and compliance tasks and driving their daily decision-making in the business.
The Board and Senior Management have a tough ask in setting the right tone at the top and demonstrating ‘doing the right thing’, whilst balancing the needs of clients, employees and shareholders/partners. This tone sets the risk culture of the firm, which in turn underpins all frameworks and tools used to manage risk and compliance with the regulations.
2. Statements, Standards & Policies
Statements need to clearly lay out the firm’s risk appetite and values. These need to be set with qualitative and quantitative measures and metrics, which are both current and forward-looking. Monitoring of the risk appetite statement metrics against thresholds is an important tool for risk management and decision making, and fundamental to embedding the appropriate risk culture in an organisation.
The policies need to be clear, understandable, implementable, and tailored to your firm, considering your structure, governance, culture, tone and your risk appetite.
3. One consistent risk and compliance framework and methodology, brought together with a simple, high-quality data model
One consistent framework and methodology will:
- Lower costs of risk management and compliance activity
- Ensure risk management coverage and accountabilities across the processes, end to end
- Create significant resource efficiencies
- Provide convergence of risk and compliance data models into one
- Enable a single source of accurate, complete MI for managing the end-to-end view and analysis of risks, issues and controls/control deficiencies
- Improve the quality of risk management output and decision making.
4. Clear and transparent risk and control assessments – providing quality risk data
You cannot assess or manage a risk that has not been identified. Clear and transparent risk and control assessments can provide an end to end view of all potential risks in a process.
Risk and control assessments will ideally be mapped to rules or policies, with individuals identified as the risk and control owners.
The risk and control assessment should not be viewed or interpreted by the risk owner as a criticism of their management, or their department, but as an important tool to demonstrate that they have thoroughly considered ‘what could go wrong’, both in terms of risk and in terms of compliance with regulatory obligations, and that they have the appropriate control environment in place to manage within the firm’s accepted risk appetite. Additionally, it helps them:
- Discuss priorities with Senior Management, and obtain the budget for what they need: perhaps more resource, system upgrades, training for the staff, etc.
- Support their accountabilities under the Senior Manager Regime
- Drive their book of work and priorities
- Provide their risk and compliance reporting and MI
5. Capability and capacity of resource
In the past, risk management and compliance resource was split into distinct areas: market risk, credit risk, operational risk, regulatory compliance, and compliance operations.
An effective enterprise risk management framework requires resource with a combination of skill sets. Budget is frequently the challenge in building an effective enterprise risk team with the appropriate resource level. Experienced, effective risk and compliance professionals come at a premium, and Senior Management may find it difficult to invest in this non-revenue-generating area, alongside the high cost of implementing the current level of regulatory changes. However, with fines imposed by the FCA in 2017 exceeding GBP227M, it does seem that not investing in sufficient, capable EWRMF resources may end up being penny wise and pound foolish.
6. Appropriate governance needs a feedback link, with the right KRIs
Appropriate governance within a firm is made up of several factors:
- Clear accountabilities and responsibilities for the businesses and functions
- The right MI: what do they need to know about? Is it timely? Accurate? Complete?
- Functioning governance meetings, which demonstrate real, active risk management. Within each meeting, management should be continually challenging the MI and the discussions: ‘Why? So what? How? What is the control? Why is it needed?’, etc.
- An appropriate feedback loop. Information on decisions, actions, next steps, etc. needs to be communicated in a timely manner, both up and down, to the relevant individuals. Actions and decisions need to be closely monitored until closure.
For more information on how 1RS can help you design and implement an effective and robust Enterprise Risk Management Framework, contact 1RS.